Re: faster tracker data processing

To: debian-security-tracker@lists.debian.org
Subject: Re: faster tracker data processing
From: Michael S Gilbert <michael.s.gilbert@gmail.com>
Date: Thu, 1 Oct 2009 21:49:11 -0400
Message-id: <[🔎] 20091001214911.427a9078.michael.s.gilbert@gmail.com>
In-reply-to: <[🔎] ha1cb8$5kp$1@ger.gmane.org>
References: <[🔎] ha1cb8$5kp$1@ger.gmane.org>

On Wed, 30 Sep 2009 23:49:54 -0500 Raphael Geissert wrote:

> Hi,
> 
> I haven't had much time lately to actively audit and fix vulnerabilities,
> but I usually take a look at the commits and there are times I see that a
> new CVE id was assigned to some app shipped on Debian.
> 
> What is the general opinion of for example when finding such entries add a
> simple '- package <unfixed>' entry and leave the 'TODO: check' around?

this is a good start, but since your time is limited, it would be wise
to pass the buck to the maintainer (who should have time to work issues
in their packages) via a bug report. you can then add a 'TODO:
follow-up with maintainer (asked to check whether <package> affected)'
or something like that. of course 99% of the time, the maintainer will
do nothing, and one of the other security team members will have to
come back to it, but at least the current state is pretty clear when
they get to it.

> If that's not desirable, maybe a concept of "HINT"s could be introduced,
> where the script that updates the CVE/list file from the CVE db
> automatically adds HINTs of possibly affected packages based on the
> embedded-code-copies files, the technique used by the check-new-issues
> (apt-cache search), and a simple file that could be used to associate full
> project names with a package name (say "Alvaro's Messenger" with "amsn").
> The tracker would of course display the CVE as affecting the HINTed packages
> until the hints are removed from CVE/list.

this seems like a good idea, but i would be cautious.  taking people out
of the loop may be dangerous if not done correctly. i would suggest that
the final product of such a script would be at most a 'TODO:
check <package1>, <package2>, ... (not comprehensive)' so someone will
have a good starting point, but will be aware that the bot's output
isn't a complete list of potentially vulnerable packages.

inject-embedded-code-copies is an existing script that automatically
inserts TODOs for embedded code copies.  it could be set up to run on
every commit, but i need to finish triaging the existing issues to
prevent a deluge of TODOs to begin with.

mike

Reply to:

Follow-Ups:
- Re: faster tracker data processing
  - From: Raphael Geissert <geissert@debian.org>

References:
- faster tracker data processing
  - From: Raphael Geissert <geissert@debian.org>

Prev by Date: Re: Can the tracker fetch version information from the BTS?
Next by Date: Re: faster tracker data processing
Previous by thread: faster tracker data processing
Next by thread: Re: faster tracker data processing
Index(es):
- Date
- Thread